Aging 'Privacy' Law Leaves Cloud E-Mail Open to Cops

Twenty-five years ago Friday, President Ronald Reagan signed legislation that for the first time provided Americans with sweeping digital-privacy protections.

The law came at a time when e-mail was used mostly by nerdy scientists, when phones without wires hardly worked as you stepped out into the backyard, and when the World Wide Web didn't exist. Four presidencies later, the Electronic Communications Privacy Act has aged dramatically, providing little protection for citizens from the government's prying eyes – despite the law's language remaining much the same.

The silver anniversary of ECPA has prompted the nation's biggest tech companies and prominent civil liberties groups to lobby for updates to what was once the nation's leading "privacy" legislation protecting Americans' electronic communications from warrantless searches and seizures.

Without such a change, the police will continue to be able to get Americans' e-mail, or their documents stored online that are more than six months old, without having to acquire a judge's permission, as long as the authorities promise it is "relevant" to a criminal investigation.

Yet there appears to be little government willpower to alter course. Apathy and outright opposition are keeping a giant swath of Americans' electronic communications exposed to warrantless government surveillance.

It wasn't always that way.

In the beginning, ECPA protected Americans' e-mail from warrantless surveillance – despite ECPA allowing the government to access e-mail without a court warrant if it was six months or older and stored on a third-party's server. The tech world now refers to these servers as "the cloud," and others just think of Hotmail, Yahoo Mail, Facebook and Gmail.

ECPA was adopted at a time when e-mail, for example, wasn't stored on servers for a long time. Instead, e-mail was held there briefly before recipients downloaded it to their inbox on software running on their own computer.

During the Reagan administration, e-mail more than six months old was assumed abandoned, and that's why the law allowed the government to get it without a warrant. At the time, there wasn't much of any e-mail for the authorities to acquire because a consumer's hard drive – not the cloud – hosted their inbox.

But technology has evolved dramatically following ECPA's passage. E-mail often remains stored on cloud servers indefinitely, in gigabytes upon gigabytes. That means the authorities may access gigs of e-mails, or other cloud-stored content, without warrants if it's older than six months. The law, believe it or not, still considers as abandoned any e-mail or other files housed on servers for more than six months.

In the age of online services such as Gmail, Dropbox, Salesforce.com and Facebook – just to name the big ones – that assumption is both outdated and dangerous.

Congress had enough foresight in the Reagan years to set privacy rules for electronic communications, regardless of how primitive those communications tools seem in retrospect. Now those same rules grant the authorities vast surveillance powers against the public, and there appears to be near-unanimous congressional support for that.

Legislation that would require police to get warrants to access any cloud data was proposed five months ago by Sen. Patrick Leahy (D-Vermont), the powerful Judiciary Committee chair.

"Since the Electronic Communications Privacy Act was first enacted in 1986, ECPA has been one of our nation's premier privacy laws," Leahy said in a statement. "But, today, this law is significantly outdated and outpaced by rapid changes in technology and the changing mission of our law enforcement agencies after Sept. 11. Updating this law to reflect the realities of our time is essential to ensuring that our federal privacy laws keep pace with new technologies and the new threats to our security."

The bill is likely to clear the Democratic-controlled Judiciary Committee. But the measure's chances of ultimately landing on an unreceptive president's desk are slim, given the de facto filibuster Senate Republicans are using to fight any legislation they didn't write.

And we're not just talking about protecting e-mail privacy, either.

ECPA allows the government to obtain, without a warrant, any content stored in the cloud – such as files in a Dropbox account – if it's older than six months. It goes without saying that there was no such thing as cloud-storage services available for the average Joe Sixpack when Reagan was president. Now those services have become mainstream, yet the Reagan-era law applies.

For instance, Apple's new iCloud storage service came out last week. In another six months, consumers' data stored on iCloud will begin to be up for grabs and become accessible to the government via its subpoena power, absent a court warrant.

Congress should recognize the collateral consequences to criminal law enforcement and the national security of the United States if ECPA were to provide only one means — a probable cause warrant — for compelling disclosure of all stored content. For example, in order to obtain a search warrant for a particular e-mail account, law enforcement has to establish probable cause to believe that evidence will be found in that particular account. In some cases, this link can be hard to establish.

How often the authorities request cloud-stored e-mail or data without a warrant is unclear, as neither the feds nor companies that hold such data are willing to share it. A coalition called Digital Due Process, which includes civil rights groups and some of the biggest players affected by ECPA, such as Dropbox, AOL, Microsoft and Google, wants the law changed to protect their customers' privacy.

"A single e-mail is subject to multiple different legal standards in its life-cycle, from the moment it is being typed to the moment it is opened by the recipient to the time it is stored with the e-mail service provider," the group said. "To take another example, a document on a desktop computer is protected by the warrant requirement of the Fourth Amendment, but the ECPA says that the same document stored with a service provider may not be subject to the warrant requirement."

A federal appeals court ruled last year, however, that the government needs a warrant to obtain e-mail stored in the cloud for more than six months. The 6th U.S. Circuit Court of Appeals ruling applies only to Kentucky, Michigan, Ohio and Tennessee.

The 6th Circuit case centered on Steven Warshak, founder of an Ohio herbal-supplement company that marketed male-enhancement tablets. As part of a fraud investigation, the government obtained thousands of his e-mails from his ISP without a warrant. He appealed his 25-year conviction on those and other grounds, and prevailed.

The government did not appeal to the Supreme Court, meaning the circuit's decision does not set nationwide, binding precedent.

Given that neither Congress nor the administration is moving in the direction of allocating more civil liberties, especially in the aftermath of 9/11, it might be wise not to hold one's breath waiting for change. That's a fact understood all too well in Washington.

Consider that it took 19 years of lobbying by the American Civil Liberties Union and others to pass legislation President Barack Obama signed last year narrowing the sentencing disparity between crack and cocaine convictions.

When it comes to lobbying for ECPA reform, Chris Calabrese, the ACLU's legislative counsel, said "we're in it for the long haul" and referred to the two decades the organization pushed for the drug-sentencing change.

"That kind of gives you the time frame we're willing to work in," he said. "It's not what we want. We can't control these things. We just do the best we can."